📅 Original date posted:2018-05-08
📝 Original message:
On Mon, May 07, 2018 at 09:40:46PM +0200, Christian Decker via bitcoin-dev wrote:
> Given the general enthusiasm, and lack of major criticism, for the
> `SIGHASH_NOINPUT` proposal, [...]
So first, I'm not sure if I'm actually criticising or playing devil's
advocate here, but either way I think criticism always helps produce
the best proposal, so....
The big concern I have with _NOINPUT is that it has a huge failure
case: if you use the same key for multiple inputs and sign one of them
with _NOINPUT, you've spent all of them. The current proposal kind-of
limits the potential damage by still committing to the prevout amount,
but it still seems a big risk for all the people that reuse addresses,
which seems to be just about everyone.
I wonder if it wouldn't be ... I'm not sure better is the right word,
but perhaps "more realistic" to have _NOINPUT be a flag to a signature
for a hypothetical "OP_CHECK_SIG_FOR_SINGLE_USE_KEY" opcode instead,
so that it's fundamentally not possible to trick someone who regularly
reuses keys to sign something for one input that accidently authorises
spends of other inputs as well.
Is there any reason why an OP_CHECKSIG_1USE (or OP_CHECKMULTISIG_1USE)
wouldn't be equally effective for the forseeable usecases? That would
ensure that a _NOINPUT signature is only ever valid for keys deliberately
intended to be single use, rather than potentially valid for every key.
It would be ~34 witness bytes worse than being able to spend a Schnorr
aggregate key directly, I guess; but that's not worse than the normal
taproot tradeoff: you spend the aggregate key directly in the normal,
cooperative case; and reserve the more expensive/NOINPUT case for the
unusual, uncooperative cases. I believe that works fine for eltoo: in
the cooperative case you just do a SIGHASH_ALL spend of the original
transaction, and _NOINPUT isn't needed.
Maybe a different opcode maybe makes sense at a "philosophical" level:
normal signatures are signing a spend of a particular "coin" (in the
UTXO sense), while _NOINPUT signatures are in some sense signing a spend
of an entire "wallet" (all the coins spendable by a particular key, or
more accurately for the current proposal, all the coins of a particular
value spendable by a particular key). Those are different intentions,
so maybe it's reasonable to encode them in different addresses, which
in turn could be done by having a new opcode for _NOINPUT.
A new opcode has the theoretical advantage that it could be deployed
into the existing segwit v0 address space, rather than waiting for segwit
v1. Not sure that's really meaningful, though.
Cheers,
aj
Anthony Towns [ARCHIVE] /
npub17r…x9l2h
2023-06-09 12:50:36
in reply to nevent1q…5pxe
Author Public Key
npub17rld56k4365lfphyd8u8kwuejey5xcazdxptserx03wc4jc9g24stx9l2hPublished at
2023-06-09 12:50:36Event JSON
{
"id": "aa4d91fa3a22cdd96b3367b75ef5395141f8b6f42d9fd7a1ef4bbce66e4f9de8",
"pubkey": "f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab",
"created_at": 1686315036,
"kind": 1,
"tags": [
[
"e",
"b96952336ac3c9bf98329984da334537047b985c3735bc2f731e82800af0b98a",
"",
"root"
],
[
"e",
"7863f8f2c63b615ec2e09864db928080703c69e57a677a56dd3d0dc4d0062678",
"",
"reply"
],
[
"p",
"fb7007c42a06687e3cd3fbbb1a3b17972e2a949ae679445f6b96579114d05cd9"
]
],
"content": "📅 Original date posted:2018-05-08\n📝 Original message:\nOn Mon, May 07, 2018 at 09:40:46PM +0200, Christian Decker via bitcoin-dev wrote:\n\u003e Given the general enthusiasm, and lack of major criticism, for the\n\u003e `SIGHASH_NOINPUT` proposal, [...]\n\nSo first, I'm not sure if I'm actually criticising or playing devil's\nadvocate here, but either way I think criticism always helps produce\nthe best proposal, so....\n\nThe big concern I have with _NOINPUT is that it has a huge failure\ncase: if you use the same key for multiple inputs and sign one of them\nwith _NOINPUT, you've spent all of them. The current proposal kind-of\nlimits the potential damage by still committing to the prevout amount,\nbut it still seems a big risk for all the people that reuse addresses,\nwhich seems to be just about everyone.\n\nI wonder if it wouldn't be ... I'm not sure better is the right word,\nbut perhaps \"more realistic\" to have _NOINPUT be a flag to a signature\nfor a hypothetical \"OP_CHECK_SIG_FOR_SINGLE_USE_KEY\" opcode instead,\nso that it's fundamentally not possible to trick someone who regularly\nreuses keys to sign something for one input that accidently authorises\nspends of other inputs as well.\n\nIs there any reason why an OP_CHECKSIG_1USE (or OP_CHECKMULTISIG_1USE)\nwouldn't be equally effective for the forseeable usecases? That would\nensure that a _NOINPUT signature is only ever valid for keys deliberately\nintended to be single use, rather than potentially valid for every key.\n\nIt would be ~34 witness bytes worse than being able to spend a Schnorr\naggregate key directly, I guess; but that's not worse than the normal\ntaproot tradeoff: you spend the aggregate key directly in the normal,\ncooperative case; and reserve the more expensive/NOINPUT case for the\nunusual, uncooperative cases. I believe that works fine for eltoo: in\nthe cooperative case you just do a SIGHASH_ALL spend of the original\ntransaction, and _NOINPUT isn't needed.\n\nMaybe a different opcode maybe makes sense at a \"philosophical\" level:\nnormal signatures are signing a spend of a particular \"coin\" (in the\nUTXO sense), while _NOINPUT signatures are in some sense signing a spend\nof an entire \"wallet\" (all the coins spendable by a particular key, or\nmore accurately for the current proposal, all the coins of a particular\nvalue spendable by a particular key). Those are different intentions,\nso maybe it's reasonable to encode them in different addresses, which\nin turn could be done by having a new opcode for _NOINPUT.\n\nA new opcode has the theoretical advantage that it could be deployed\ninto the existing segwit v0 address space, rather than waiting for segwit\nv1. Not sure that's really meaningful, though.\n\nCheers,\naj",
"sig": "58ce84a3b456920756eb56eb305609075ea848f090960ff992839512eee7b197765bccda5944e7011d3c71c645055c1fc2743aa1a1359aa4088243ff6e6514fa"
}